GA4 Data Redaction

August 12, 2025

Let’s talk about that cold-sweat moment every marketer has: the fear that personally identifiable information (PII) has accidentally crept into your Google Analytics account. With Google’s rightly strict policies, it’s a risk that can lead to warnings or even account suspension.

While regular PII audits are non-negotiable, Google has given us a fantastic, built-in safety net.

It’s a relatively new feature called data redaction, and frankly, it’s one of the first things you should check in any GA4 setup. I have added to my Google Analytics audits and any GA4 set up I do.

This guide will walk you through what it is, why you need it, and exactly how to switch it on.

Think of it as a free insurance policy for your data hygiene.

What is GA4 Data Redaction?

At its core, data redaction is a process that happens before data is stored in Google Analytics. It acts as a gatekeeper, scanning the information you’re sending from your website and removing specific bits of data that look like PII.

The beauty of this is that the sensitive information never even reaches Google’s servers, which is a massive plus for compliance and peace of mind.

It works in two main ways:

Automatically redacting email addresses.
Redacting specific URL query parameters that you define.

Expert Insight This is a really nice feature to prevent personally identifiable information from reaching Google Analytics. And it's a nice fail-safe option, although I suggest you should still do a PII audit every six months or so.

The Easy Win: Automatically Removing Email Addresses

This is the simplest part of the feature and a complete no-brainer to enable.

When you toggle this on, Google uses text-pattern recognition to spot anything that looks like an email address in the data it’s collecting. If it finds a potential match (e.g., something containing an ‘@’ symbol followed by a domain), it redacts that specific piece of text while the rest of the data collection continues as normal.

It’s a powerful, set-and-forget way to prevent the most common type of PII from slipping through the cracks.

Getting Granular: Redacting Custom URL Parameters

Here’s where you can get a bit more specific.

Sometimes, due to site configuration or legacy systems, sensitive information can end up in the URL itself.

Imagine a thank-you page URL that looks like this: yourwebsite.co.uk/order-complete?customer_name=JohnSmith&ref=123

You definitely don’t want to be collecting customer_name in GA4.

The URL query parameter redaction lets you specify parameters (like customer_name in this case), and GA4 will automatically strip out the value before it’s processed.

You can add up to 30 different query parameters to your redaction list.

It’s worth having a chat with your development team to see if they are aware of any potentially sensitive parameters being used across the site.

It’s important to know this only applies to a specific set of event parameters:

- page_location
- page_referrer
- page_path
- link_url
- video_url
- form_destination

How to Setup Data Redaction (It Takes 2 Minutes)

Ready to switch it on? It’s incredibly straightforward.

Navigate to the Admin section of your GA4 property (the cog icon in the bottom left).
In the ‘Data collection and modification’ column, click on Data Streams.
Select the web data stream you want to configure. (Note: this is currently only available for web streams).
Under the ‘Events’ section, you’ll see an option called Redact data. Click it.
Here you’ll find the two main options:
- Toggle on Redact most email addresses from event data.
- Under Redact URL query parameters, enter any parameters you wish to exclude, separated by commas.
Click Save. That’s it. You’re done.

Testing

If you’ve added your URL query parameters and want to test to see how they would work, well you’re in luck.

There’s a test data redaction option at the bottom.

Enter the page URL with the query parameters and you can see how it will look like with redacted data.

Potential Issues

The system isn’t perfect, and it’s important to be aware of the main caveat.

Because the email redaction works on pattern recognition, it can sometimes produce a ‘false positive’.

For example, if a piece of text on your site happens to include an ‘@’ symbol followed by a top-level domain name (like ‘.com’ or ‘.co.uk’), GA4 might mistakenly identify it as an email and redact it.

However, let’s be realistic. The risk of accidentally redacting a small, non-sensitive piece of text is far outweighed by the benefit of preventing a serious PII breach. It’s a trade-off well worth making.

This feature is a safety net, not a replacement for good data governance.

There’s no good reason not to have this feature enabled. It’s a quick, simple, and powerful way to add a crucial layer of protection to your analytics, preventing the inadvertent collection of PII and helping you stay compliant.

Go and check your settings now—it’ll be the most productive two minutes of your day.

There is a further safety net of preventing this kind of information being sent to GA4 in the first place. If you use GTM, this is a great guide to do that.

FAQs

What is data redaction in GA4?

It’s a feature that automatically scans incoming data for likely email addresses and user-defined URL parameters, removing them before the data is ever stored in Google Analytics to help prevent PII collection.

Does data redaction remove historical data?

No. Data redaction only applies to data collected after you have enabled the feature. It cannot retroactively remove PII from data you have already collected.

Is data redaction available for app data streams?

As of now, the data redaction feature is only available for web data streams in GA4.

Should I still perform PII audits if I use data redaction?

Yes, absolutely. Data redaction is a fantastic fail-safe, but it’s not foolproof. You should still conduct regular audits of your account (we recommend every six months) to proactively search for any PII that might have been missed.

Cohort Reports

Learn to use GA4 Cohort Explorations to track retention, spot trends, and refine your marketing strategy.

Segment Overlap Report

Learn to use the GA4 Segment Overlap report to isolate complex user groups and build better retargeting lists

How to Fix the China & Singapore Bot Issue

Seeing a sudden surge in traffic from China or Singapore? Learn more about it here

Entrances in GA4

Confused by Entrances in GA4? Discover more about this metric here.

Author

Hello, I'm Kyle Rushton McGregor!

I’m an experienced GA4 Specialist with a demonstrated history of working with Google Tag Manager and Looker Studio. I’m an international speaker who has trained 1000s of people on all things analytics.